jbrashear
New Contributor

Confused about Forticlient EMS server and Fortigate relationship.

Hi all,

I'm setting up the SSL VPN for my company and I'm confused about how the VPN is licensed. In my previous experience with Fortinet products, you had to have a license for the number of VPN clients you were going to have. When we bought 4 new 300Ds my salesperson told me that the licensing is handled by the EMS server now. I have installed the EMS server and it's licensed for 150 clients. Where I get confused is how does the FortiGate know about the EMS server, or does it need to? Honestly, I'm not at the point where I need full enterprise management outside of what the FortiGate can do itself, and all I want is to ensure that I can have more than the 10 users connect.

Do I point the FortiClients at the EMS server for telemetry, or the FortiGate itself? If the FortiGate is doing the telemetry, how does it integrate with the EMS? The only thing I found in the cookbook was for implementing an EMS to manage internal devices on the LAN (ISFW). Again, all I'm interested in at this point is making sure that more than the default 10 clients can connect to the SSL VPN. I hope this makes sense...

JB

10 Replies
SteveG
Contributor III

We use EMS to manage our FortiClient installs. Unfortunately our supplier has no idea what licensing is required! They reckon, despite having 1500 EMS licenses, we also need licenses on the FortiGates too (we want to enable the FortiClient enforcement on the LAN), although I don't see why. Before we had EMS the FortiClients would register to the FortiGates, but we only had the default 10 licenses on each FortiGate, so users would end up with an error message once they VPN'd in. Now the FortiClients are registered to EMS, the FortiGate registration attempts have stopped. We've been pushing our supplier for a definitive answer for months now; I'm assuming the lack of understanding is on their part, as I can't believe Fortinet don't know, it's their product!

We've not configured the telemetry feature yet, although all the FortiClients are sending logs to our FAZ. I may be wrong here, but it feels to me that Fortinet are trying to remove the reliance on FortiGates when using EMS. We have no config tie-in between EMS and the FortiGates we have. I may be completely wrong though!

Confused? I certainly am :o

FYI, we have a number of support calls open at the moment as EMS is very buggy. We bravely rolled out FortiClient as the desktop AV here. Once the bugs are fixed it will be a great tool.

RobertReynolds
Contributor

There are two parts of FortiClient now: Endpoint Management, and Endpoint Telemetry and Compliance. Endpoint Management is for configuration management and provisioning of FortiClient profiles (what you used to be able to do on the FortiGate); this is a separate piece of software that runs on a Windows server as a member of the domain (the EMS). You get 10 free licenses, and from then on it's a paid feature. The Telemetry and Compliance part is licensed on the FortiGate; this allows you to do some network access control. This also comes with 10 free.

Management == EMS

Management and compliance == EMS + Telemetry.

To use the FortiClient in standalone SSL VPN mode only, there is no extra licensing required.

SteveG

That's interesting, so if you want to do the telemetry side you also need the (IPSec) VPN licenses on the FortiGate.

MikePruett
Valued Contributor

I just deployed EMS for a client. They paid the $7 per license and were on their way. We are able to configure and set everything we wanted based on that. Compliance etc included because it will use the EMS for the compliance settings etc.

Mike Pruett Fortinet GURU | Fortinet Training Videos
neonbit
Valued Contributor

I've been testing this out in my lab over the last week, and my understanding is that if you want to enforce compliance (i.e. users can't go through the firewall unless they have AV running, no critical vulnerabilities, etc.), then you'll need both the EMS license and the FortiGate license.

If you just have the EMS server license then you can centrally manage the FortiClients and push out configs, but the FortiGate will not be able to determine if FortiClient is installed and what its compliance posture is.

The FortiClient needs to be registered to the FortiGate for it to determine the compliance posture.

To do this with both the FortiGate and EMS server you'll need to import the FortiClient policy from the FortiGate to the EMS server. The EMS server will then sync the FortiClient policy from the FortiGate every X minutes.

On the EMS server you then set up Telemetry IP addresses (i.e. the FortiGate's IP address) and push them to the FortiClients.

Once the FortiClients get this, they will proceed to register to the FortiGate and confirm its compliance status.

The FortiClient's logs and management will still be done through the EMS, but the config will be changed on the FortiGate (so ultimately the EMS server is being used as a proxy between the FortiGate config and FortiClient config). So you make a FortiClient profile change on the FortiGate, it gets updated on the EMS server, and it then gets pushed to the FortiClient.

If you wanted 100 devices to have both this central config management and compliance, you will need to purchase 100 EMS licenses, plus the FortiClient license on your FortiGate (or FortiGates, if you have multiple sites where you want to enforce compliance).

Hope it makes sense!

SteveG
Contributor III

That's a great post, you seem to understand the FortiGate/FortiClient/EMS licensing better than Fortinet ;)

Having said that, I had a lengthy conf call with Fortinet this week and can confirm what you've stated is absolutely correct.

Jim_FH
New Contributor III

Mike:

Are you sure you're able to do compliance with the EMS only? My understanding is what Robert said above... that is, if you want compliance in addition to management, then you need licenses for the 'gates AS WELL AS on the EMS. If you can, I'd love to know where that's configured.

They're clearly moving towards EMS and away from the FortiGates for endpoint control, and it's frustrating that we can't get both features with one license, preferably the EMS.

thanks,

Jim

MikePruett
Valued Contributor

Perhaps Fortinet will work deals in situations like that.

You do need the Gate to be able to enforce compliance etc for sure.

Mike Pruett Fortinet GURU | Fortinet Training Videos
Jim_FH
New Contributor III

Mike:

Yep, I verified that with my rep as well. My EMS licenses won't work on the FortiGates, and I need more than the 10 free licenses offered.

Too bad, I just can't afford to buy 2x licenses for the amount of clients I have to manage. Hopefully they will unify the licensing in the future.

thanks,

Jim
